Bug 242066
Summary: [GTK] Frequent crashes on github.com in WebCore::RenderFileUploadControl::uploadButton
Product: WebKit
Component: WebKitGTK
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Reporter: Michael Catanzaro <mcatanzaro>
Assignee: Nobody <webkit-unassigned>
CC: bugs-noreply, Hironori.Fujii
Michael Catanzaro
Today I hit four crashes within two minutes when browsing github.com with 2.36.3. It's a null pointer dereference:
(gdb) bt
#0 WebCore::ContainerNode::firstChild() const (this=0x0)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/ContainerNode.h:43
#1 WebCore::RenderFileUploadControl::uploadButton() const (this=<optimized out>)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:246
#2 0x00007f37cc758304 in WebCore::RenderFileUploadControl::updateFromElement() (this=0x7f37401dac80)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:78
#3 0x00007f37cbf50206 in WebCore::HTMLInputElement::didAttachRenderers() (this=0x7f36b825b020)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/html/HTMLInputElement.cpp:875
#4 0x00007f37cc97b947 in WebCore::RenderTreeUpdater::popParent() (this=0x7ffc02234600)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237
#5 0x00007f37cc97c778 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int)
(depth=<optimized out>, this=<optimized out>)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250
#6 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=0x7ffc02234600, root=<optimized out>)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158
#7 0x00007f37cc97cf1b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=0x7ffc02234600, styleUpdate=...)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125
#8 0x00007f37cbccde2c in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=this@entry=0x7f37c1eadcb0, styleUpdate=...)
at /usr/include/c++/11.2.0/bits/unique_ptr.h:172
#9 0x00007f37cbce78cd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
(this=this@entry=0x7f37c1eadcb0, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal)
at /usr/include/c++/11.2.0/bits/move.h:77
#10 0x00007f37cbce7f1f in WebCore::Document::updateStyleIfNeeded() (this=0x7f37c1eadcb0)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2182
#11 0x00007f37cbce921e in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (this=0x7f37c1eadcb0, element=..., dimensionsCheck=dimensionsCheck@entry=WebCore::HeightDimensionsCheck)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2287
#12 0x00007f37cbd0b853 in WebCore::Element::offsetHeight() (this=0x7f36785a6d00)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Element.cpp:1302
#13 0x00007f37cb15c511 in WebCore::jsHTMLElement_offsetHeightGetter
(thisObject=<optimized out>, lexicalGlobalObject=<optimized out>)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4157
#14 WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<WebCore::jsHTMLElement_offsetHeightGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=..., thisValue=<optimized out>, lexicalGlobalObject=<optimized out>)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#15 WebCore::jsHTMLElement_offsetHeight(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName)
(lexicalGlobalObject=<optimized out>, thisValue=<optimized out>, attributeName=...)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4162
#16 0x00007f37c919f715 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
(this=this@entry=0x7ffc02234e10, vm=<optimized out>, propertyName=..., propertyName@entry=...)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#17 0x00007f37c8de06f3 in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
(propertyName=..., globalObject=0x7f37c1525068, this=0x7ffc02234e10)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.h:408
#18 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
(slot=..., propertyName=..., globalObject=<optimized out>, this=0x7ffc02234dc8)
at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021
#19 JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
(pc=0x7f361820db05, codeBlock=0x7f35c8eac400, globalObject=<optimized out>, baseValue=..., ident=..., metadata=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#20 0x00007f37c8de11d9 in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::Instruction const*)
(callFrame=0x7ffc02235090, pc=0x7f361820db05) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#21 0x00007f37c82deb4d in llint_op_get_by_id () at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:102
#22 0x0000000000000000 in ()
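The trace above shows the shape of the crash: frame #0 is ContainerNode::firstChild() entered with this=0x0, inlined into RenderFileUploadControl::uploadButton(), which runs from updateFromElement() while RenderTreeUpdater attaches renderers during a style flush that a JavaScript read of offsetHeight forced synchronously. The following is an added stand-alone model of that pattern, not WebKit's code and not a reproducer; the class and function names, and the assumption that the container being dereferenced is a lazily created user-agent shadow root that does not exist yet when the renderer is first attached, are illustrative (the report itself does not identify the root cause, and the bug was resolved as a duplicate of bug 241954). It contrasts the unguarded lookup with a null-tolerant one that lets the update be skipped instead of crashing.

```cpp
// Added example: a stand-alone model of the crash pattern in the backtrace
// above. None of this is WebKit code; the type and function names below are
// assumed for illustration only.
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for a DOM container: owns children, exposes firstChild().
struct ContainerNode {
    std::string name;
    std::vector<std::unique_ptr<ContainerNode>> children;

    explicit ContainerNode(std::string n) : name(std::move(n)) {}

    // Counterpart of frame #0: calling this through a null `this` pointer is
    // undefined behaviour and in practice a SIGSEGV near address 0.
    const ContainerNode* firstChild() const {
        return children.empty() ? nullptr : children.front().get();
    }
};

// Stand-in for an <input type=file>. Assumption for this model: the
// user-agent shadow root holding the upload button is created lazily, so it
// may be absent when a renderer is first attached to the element.
struct FileInputElement {
    std::unique_ptr<ContainerNode> uaShadowRoot; // may be null

    const ContainerNode* userAgentShadowRoot() const { return uaShadowRoot.get(); }

    void createUserAgentShadowRoot() {
        uaShadowRoot = std::make_unique<ContainerNode>("shadow-root");
        uaShadowRoot->children.push_back(std::make_unique<ContainerNode>("upload-button"));
    }
};

// Unguarded lookup, mirroring the crashing call chain (frames #1 -> #0):
// if the shadow root is null this dereferences it and crashes.
const ContainerNode* uploadButtonUnguarded(const FileInputElement& input) {
    return input.userAgentShadowRoot()->firstChild();
}

// Guarded lookup: a missing shadow root means "no button yet"; the caller
// decides what to do with nullptr instead of the process dying.
const ContainerNode* uploadButtonGuarded(const FileInputElement& input) {
    const ContainerNode* root = input.userAgentShadowRoot();
    if (!root)
        return nullptr;
    return root->firstChild();
}

// Stand-in for the renderer's updateFromElement(): true if a button was
// found and updated, false if there was nothing to update yet.
bool updateFromElement(const FileInputElement& input) {
    const ContainerNode* button = uploadButtonGuarded(input);
    if (!button)
        return false; // renderer attached before the shadow tree exists
    return button->name == "upload-button";
}

// Models the ordering visible in the trace: a synchronous style flush
// (frames #12 -> #3) attaches the renderer and runs updateFromElement()
// before the shadow tree exists; a later update sees the button.
std::pair<bool, bool> simulateAttachBeforeShadowRoot() {
    FileInputElement input;
    bool first = updateFromElement(input);   // no shadow root yet: false, no crash
    input.createUserAgentShadowRoot();
    bool second = updateFromElement(input);  // button present: true
    return {first, second};
}

// Once the shadow tree exists, the guarded and unguarded lookups agree, so
// the guard costs nothing on the normal path.
std::string buttonNameAfterShadowRoot() {
    FileInputElement input;
    input.createUserAgentShadowRoot();
    const ContainerNode* a = uploadButtonGuarded(input);
    const ContainerNode* b = uploadButtonUnguarded(input);
    return (a && a == b) ? a->name : "";
}

int main() {
    auto r = simulateAttachBeforeShadowRoot();
    std::cout << "update before shadow root: " << (r.first ? "updated" : "skipped") << "\n"
              << "update after shadow root:  " << (r.second ? "updated" : "skipped") << "\n"
              << "button found: " << buttonNameAfterShadowRoot() << "\n";
    return 0;
}
```

Calling uploadButtonUnguarded() on a FileInputElement whose shadow root has not been created is the modelled crash; the guarded path turns that first, premature update into a no-op rather than a null dereference. Whether WebKit's actual fix took this form is not something this page states.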
Fujii Hironori
*** This bug has been marked as a duplicate of bug 241954 ***